Bun Rust Rewrite: Miri Uncovers Unsound Unsafe Code, Sparks Security Debate

A Core Soundness Violation in Bun's Rust Port

A significant security flaw has been exposed in the ongoing Rust rewrite of Bun, the high-performance JavaScript runtime. A GitHub issue filed on May 14, 2026, demonstrates that the codebase "fails even the most basic miri checks" and "allows for UB [undefined behavior] in safe rust." The issue includes a minimal reproduction case causing Miri, Rust's official undefined behavior checker, to flag a dangling reference error.

The core problem lies in the PathString::init function. This safe function accepts a reference to a byte slice (&[u8]) but internally uses unsafe code to store a raw pointer, effectively erasing the input's lifetime. This allows the returned PathString type, which is 'static, to outlive the data it points to, leading to use-after-free scenarios. As commenter JavaDerg explained, this "erases the lifetime and returns Self which is 'static. This is incredibly bad because it allows for use after free, invalid aliasing, etc."

Further analysis by the reporter, AwesomeQubic, noted the code also "erases provenance" and fails under Miri's strict provenance checks. A Bun collaborator, robobun, confirmed the issue and submitted a pull request (#30728) marking the problematic functions as unsafe and auditing approximately 70 call sites across the codebase. The fix pins the regression with a test to ensure the signatures remain unsafe.

The Broader Codebase Context and Community Reaction

This incident is not isolated. Following the initial report, GitHub Actions automatically referenced several other pull requests addressing similar unsafe code patterns in the Bun repository. These include replacements for unsafe blocks in ArrayHashMap (#30723), fixes to soundness bugs in the LinearFifo trait (#30724), and a safe rewrite of DynamicBitSet (#30730). This suggests the initial Rust translation introduced systemic issues with unsafe code handling.

The community reaction was swift and critical. Many commenters linked the problems directly to the project's admitted use of AI, specifically Anthropic's Claude, for the bulk of the rewrite. One user, mikuwithbeer, stated the project had become "a pure AI slop," criticizing the prioritization of proving AI capability over hiring expert Rust developers. The sentiment was echoed by others who argued Rust's safety guarantees are nullified by such unsound abstractions, potentially creating scenarios "far worse than what is typical in c/c++ code."

However, some defended the effort. User Warchamp7 framed it as "the courage to build, fail and learn in public," encouraging the team to continue fixing issues. Project founder Jarred Sumner subsequently indicated on social media that they are seeking to hire someone with Rust experience.

Technical Analysis: The Perils of Ignoring Lifetimes and Provenance

The fundamental error in PathString::init represents a classic misunderstanding of Rust's ownership system. When a type holds a pointer to data it does not own, it must explicitly track the lifetime of that data using generic parameters and often PhantomData markers. As TehPers explained, "The low level learning here is that lifetimes cannot be ignored." The high-level learning is that "all unsafe code should be reviewed very closely by someone experienced with writing Rust."

This incident highlights a critical gap in AI-assisted code translation. LLMs like Claude may generate syntactically correct Rust that compiles but can completely violate the language's semantic safety rules, especially around lifetimes, borrowing, and unsafe block invariants. The resulting code can be subtly and catastrophically broken, introducing memory corruption vulnerabilities that Rust is explicitly designed to prevent.

The situation draws a stark contrast with other careful language migrations, such as Andreas Kling's manual two-week rewrite of Ladybird's JavaScript engine components from C++ to Rust, which produced 30k lines of reviewed code.

A Cautionary Tale Amid a Broader Security Landscape

This discovery arrives amidst heightened awareness of foundational software security. Source 2 (Dark Reading) discusses how AI-generated code introduces new, unpredictable risks, forcing defenders to adapt. The Bun case is a concrete example of such "boring" but dangerous code—seemingly mundane utility functions that become security liabilities.

Simultaneously, the industry is grappling with long-lived vulnerabilities in critical infrastructure. Source 3 details CVE-2026-42945, an 18-year-old heap buffer overflow in NGINX's rewrite module affecting versions back to 0.6.27. Like the Bun issue, it stems from inconsistent state handling—in NGINX's case, between buffer size calculation and data writing passes. This flaw, present in a third of top websites, underscores how subtle logic errors can persist for decades.

Furthermore, Source 4 and 5 report on "Dirty Frag" (CVE-2026-43284 and CVE-2026-43500), a new Linux kernel privilege escalation vulnerability similar to Dirty Pipe. With a public proof-of-concept exploit available, it demonstrates the constant pressure on core system security. These parallel stories emphasize that security is a continuous process of rigorous review and patching, whether for an 18-year-old web server or a brand-new, AI-generated codebase.

Conclusion: The Path Forward for Bun and AI-Assisted Development

The Bun Rust rewrite saga presents a multifaceted lesson. First, it validates the importance of tools like Miri for projects using unsafe Rust. Second, it serves as a stark warning about the limitations of current AI in complex, safety-critical coding tasks. AI can be a powerful assistant, but it cannot replace deep domain expertise, especially for systems programming.

The project's response—acknowledging the bug, applying fixes, and seeking expert help—is a positive step. However, the scale of the required audits suggests the rewrite may have incurred significant technical debt. The ultimate test will be whether the Bun team can systematically review and secure the entire translated codebase, transforming it from a proof-of-concept into a robust, production-ready system. For the wider industry, this episode is a case study in the risks and responsibilities of adopting AI code generation for foundational software components.